CN111801924B - Apparatus, methods, and articles of manufacture for messaging using message-level security - Google Patents


Info

Publication number: CN111801924B
Authority: CN (China)
Prior art keywords: web service, client, server, service token, web
Legal status: Active
Application number: CN201980010055.1A
Other languages: Chinese (zh)
Other versions: CN111801924A (en)
Inventors: Y·吴, R·韦斯特
Current assignee: Sensus Spectrum LLC
Original assignee: Sensus Spectrum LLC

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                            • H04L63/0442 wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
                    • H04L63/08 for authentication of entities
                        • H04L63/0823 using certificates
                        • H04L63/083 using passwords
                    • H04L63/16 Implementing security features at a particular protocol layer
                        • H04L63/166 at the transport layer
                    • H04L63/18 using different networks or channels, e.g. using out of band channels
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/32 including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3263 involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
                            • H04L9/3268 using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F8/00 Arrangements for software engineering
                    • G06F8/60 Software deployment
                        • G06F8/65 Updates

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Telephonic Communication Services (AREA)
  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The method comprises the following steps: establishing a transport layer security connection between a client and a server providing a WEB service; identifying, in the connection, at least one cryptographic key for communication with the WEB service; closing the connection; and communicating between the client and the WEB service using a WEB service token signed and encrypted according to the identified at least one cryptographic key. The use of WEB service tokens for communication between the client and the WEB service may not require the creation of a new transport layer security connection. Further embodiments provide a computer configured to perform the operations described above, and a computer-readable medium storing instructions that, when executed by the computer, perform the operations described above.

Description

Apparatus, methods, and articles of manufacture for messaging using message-level security
Background
The present subject matter relates to computer networking methods, apparatus, and articles of manufacture, and more particularly to methods, apparatus, and articles of manufacture for secure communications in a computer network.
Networking applications typically involve the transfer of messages between a sending node and a receiving node via various other intermediate nodes. Such communications can be vulnerable to interception, spoofing, and other forms of attack due to the need for communication via these intermediate nodes. For example, such communications can be susceptible to so-called "man-in-the-middle" (MITM) attacks, in which an attacker intercepts messages from parties at an intermediate node and alters communications between parties by masquerading as one of the parties.
Conventional techniques for protecting against MITM attacks typically employ some type of authentication to establish a secure channel between parties and use the secure channel to establish one or more cryptographic keys to be used to secure subsequent communications between the parties. For example, Transport Layer Security (TLS) (and its predecessor, Secure Sockets Layer (SSL)) typically involves initiating a session using a handshake protocol that establishes symmetric keys for communication between the parties during the session. The handshake typically involves the exchange of one or more security certificates, the verification of the exchanged certificate(s) by a certificate authority, and the establishment of a symmetric key in response to the verification of the certificate(s). For the rest of the TLS (or SSL) session, the symmetric key is used to encrypt messages between the parties.
Disclosure of Invention
Some embodiments of the inventive subject matter provide methods of operating a client. The method comprises the following steps: establishing a transport layer security connection with a server providing a WEB service; identifying, in the connection, at least one cryptographic key for communication with the WEB service; closing the connection; and communicating with the WEB service using a WEB service token signed and encrypted according to the identified at least one cryptographic key. In some embodiments, communication with the WEB service using the WEB service token does not require creation of a new transport layer security connection.
According to some embodiments, identifying the at least one cryptographic key may include identifying a client private key and a server public key, and communicating with the server using the signed WEB service token may include transmitting the WEB service token signed by the client private key and encrypted by the server public key. According to a further embodiment, identifying the at least one cryptographic key may include identifying a client public key and a server private key, and wherein communicating with the server using the signed WEB service token includes receiving a WEB service token signed by the server private key and encrypted by the client public key.
In some embodiments, identifying, in the connection, at least one cryptographic key for the WEB service may include: transmitting credentials; receiving a first WEB service token of the WEB service corresponding to the credentials; and exchanging security credentials with the WEB service using the first WEB service token to identify the at least one cryptographic key. Communicating with the WEB service using the WEB service token may then include communicating with a second WEB service token signed and encrypted according to the identified at least one cryptographic key.
In some embodiments, the WEB service token may comprise a signed and encrypted JavaScript object notation (JSON) WEB service token (JWT). JWTs may use JSON WEB Signing (JWS) format and JSON WEB Encryption (JWE) format.
Further embodiments provide a computer configured to perform the client operations described above. Additional embodiments include a computer-readable medium storing instructions that, when executed by a computer, perform client operations as described above.
Some embodiments of the inventive subject matter provide methods of operating WEB services. The method comprises the following steps: establishing a transport layer security connection with a client; identifying in the connection at least one cryptographic key for communication with a WEB service hosted by the server; closing the connection; and communicating with the client using a WEB service token signed and encrypted according to the identified at least one cryptographic key. Communication with the client using the WEB service token may not require creation of a new transport layer security connection.
In some embodiments, identifying the at least one cryptographic key may include identifying a server public key and a client private key, and communicating with the server using the WEB service token may include receiving the WEB service token signed by the client private key and encrypted by the server public key. In further embodiments, identifying the at least one cryptographic key may include identifying a server private key and a client public key, and communicating with the server using the signed WEB service token may include transmitting the WEB service token signed with the server private key and encrypted with the client public key.
According to some embodiments, identifying, in the connection, at least one cryptographic key for the WEB service may include: receiving credentials; transmitting a first WEB service token of the WEB service corresponding to the credentials; and exchanging security credentials with the client using the first WEB service token to identify the at least one cryptographic key. Communicating with the client using the WEB service token may then include communicating with a second WEB service token signed and encrypted with the identified at least one cryptographic key.
Still further embodiments of the present subject matter provide methods of communicating between a client and a WEB service. The method comprises the following steps: establishing a transport layer security connection between a client and a server providing the WEB service; identifying, in the connection, at least one cryptographic key for communication with the WEB service; closing the connection; and communicating between the client and the WEB service using a WEB service token signed and encrypted according to the identified at least one cryptographic key. The use of WEB service tokens for communication between the client and the WEB service may not require the creation of a new transport layer security connection.
Further embodiments provide a computer configured to perform WEB service operations as described above. Additional embodiments provide a computer-readable medium storing instructions that, when executed by a computer, perform WEB service operations as described above.
Drawings
Fig. 1 is a schematic diagram illustrating a network environment in which the inventive subject matter may be applied.
Fig. 2 is a flow chart illustrating operations for secure communications in accordance with some embodiments of the present subject matter.
Fig. 3 is a flow chart illustrating operations for secure communications in accordance with further embodiments.
Fig. 4 is a schematic diagram illustrating a client-server system in which embodiments of the inventive subject matter may be employed.
Fig. 5 is a message flow diagram illustrating a registration operation in the system of fig. 4.
Fig. 6 is a message flow diagram illustrating a firmware update operation for the system of fig. 4.
Fig. 7 is a message flow diagram illustrating a de-registration operation in the system of fig. 4.
Detailed Description
Specific exemplary embodiments of the inventive subject matter will now be described with reference to the accompanying drawings. This inventive subject matter may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the inventive subject matter to those skilled in the art. In the drawings, like numerals denote like items. It will be understood that when an item is referred to as being "connected" or "coupled" to another item, it can be directly connected or coupled to the other item or intervening items may be present. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the inventive subject matter. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless expressly stated otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which the inventive subject matter belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the present specification and relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
Some embodiments of the inventive subject matter result from the recognition that reduced overhead, and potentially increased resistance to MITM and other attacks, can be provided by messaging between clients and WEB services using a message-level security scheme: WEB service tokens (e.g., JavaScript Object Notation (JSON) WEB tokens (JWTs)) are signed and encrypted with a private/public key pair established in an initial TLS (or SSL) connection that establishes a bilateral root of trust. The WEB service token can be used for communication after the initial transport layer security connection is closed, thus eliminating the need to establish a new TLS connection for each communication session between the client and the server. The key used to generate the WEB service token can be terminated by an expiration carried in the token payload and/or can be terminated by the client or the WEB service.
This approach can be particularly advantageous in applications where communication sessions between clients and WEB services occur sporadically. As described herein, such techniques may be advantageously used in communication between a firmware manager client and WEB services provided by a tower gateway base station (TGB) that serves multiple meters or other sensing devices, for example. This approach can reduce the overhead for such communications, can reduce the likelihood that credentials for accessing WEB services can be intercepted, and can also allow both the client and WEB services to initiate communications due to the bilateral nature of the trust relationship.
FIG. 1 illustrates a network environment in which embodiments of the inventive subject matter may be employed. A client 112 residing at a client device 110 (e.g., a computer, mobile terminal, or other device) is configured to communicate via a network 130 with a WEB service 122 residing at a server 120 (e.g., a computer, base station, or other device). The client 112 and the WEB service 122 are configured to provide message-level secure communication functions 114 and 124, which provide message-level security that eliminates the need for repeated creation of TLS/SSL sessions.
In particular, referring to FIG. 2, a connection with Transport Layer Security (TLS) is established between client 112 and WEB service 122 via network 130 (block 210). While there is a connection, at least one key pair for subsequent communication between client 112 and WEB service 122 is identified (block 220). After closing the connection (block 230), the client 112 and the WEB service 122 can continue to communicate with each other using a WEB service token (block 240), which is signed and encrypted according to at least one key pair. This allows communication to occur without the need to reestablish a new transport layer secure connection.
Fig. 3 illustrates operations according to further embodiments. A TLS connection is established between the client and the WEB service using any of a number of known techniques (block 310). To initiate the establishment of a bilateral root of trust, the client passes credentials (e.g., username/password) to the WEB service (block 320). In response, the WEB service authenticates the credentials and returns an authentication token to the client (block 330). Using the authentication token, the client and server exchange security credentials and identify a public/private key pair (block 340). The TLS connection is then terminated (block 350). The client and server then communicate using WEB service tokens, which are signed and encrypted using the identified public/private key pair (block 360). The WEB service token key pair may later be invalidated unilaterally by the WEB service and/or in response to, for example, the expiration of a predetermined validity period or a request from the client.
As described above, communication operations along these lines may be advantageously used in applications in which clients and WEB services communicate on a sporadic basis. For example, referring to FIG. 4, a smart grid or other utility monitoring system may employ a plurality of smart devices, such as meters 440 and sensors 450, that are linked to a tower gateway base station (TGB) 430 via a radio link. The TGB 430 may be linked to a firmware manager client 412 residing at a remote device 410 via a network 420. The firmware manager client 412 may be configured to update firmware on the TGB 430 via communication with one or more WEB services 432 residing at the TGB 430, which collect data from the meters 440 and sensors 450.
Fig. 5 illustrates a representative message flow for registration between such a manager client and a TGB WEB service in accordance with further embodiments. After initiation of the TLS session (501), the manager transmits a login request, which includes a user name and cryptographic credentials (502). After verifying the credentials, the WEB service generates a JavaScript Object Notation (JSON) WEB service token (JWT) for use during the authentication process (503) and communicates the token to the manager (504). The manager and the WEB service exchange security certificates using the authentication JWT and responsively identify private/public key pairs for the manager and the server (505-512). The manager then assigns a unique ID for the TGB WEB service, which the TGB WEB service stores and validates (513-515). Next, the manager sends a URL that the TGB WEB service can use to download a firmware package, which the TGB WEB service saves and validates (516-518). The manager then transmits a request for the token to be invalidated (519), and the WEB service responsively invalidates the token and indicates to the manager that it is invalid (520 and 521). The TLS connection may then be terminated (522).
After this registration process, communication between the client and the WEB service may then proceed using the private/public key pair identified during the TLS session. In particular, a client may initiate such communications by transmitting a JWT signed according to its private key (e.g., using the JSON WEB Signing (JWS) compact serialization format as defined in IETF RFC 7515) and encrypted according to the server's public key (e.g., using the JSON WEB Encryption (JWE) compact serialization format as defined in IETF RFC 7516). The server can decrypt such a token using its private key and verify that the signature of the token corresponds to the client. Similarly, the server can initiate a communication by transmitting a JWT signed by its private key and encrypted by the client's public key.
For example, fig. 6 illustrates operations for monitoring the configuration of software residing at a TGB in the system of fig. 4. The manager transmits a message instructing the TGB to refresh its copy of the manifest of the software package from the software repository ("repository" in fig. 6) that holds the expected (up-to-date) manifest (610). The transmission uses the previously established key pair to create the JWT, thus eliminating the need to log in. The location of the repository may have been previously transferred from the manager to the TGB in a message that includes the location (e.g., URL) of the repository and the credentials needed to access it. The TGB uses the previously established location and credentials to transmit a request for the manifest to the repository (620) and receives a manifest file from the repository (630). The TGB saves the manifest file and compares it to the currently installed package (640 and 650). The TGB reports the results to the manager (660).
Fig. 7 illustrates de-registration operations according to further embodiments. Along the lines described above, a TLS session is created between the manager and the TGB (701). The manager transmits a login request comprising a username/password combination (702), and the TGB generates and transmits a JWT that is used to generate a key pair for use in subsequent messaging (703 and 704). Subsequently (e.g., after one or more message exchanges), the manager may transmit a de-registration request message (705). In response, the TGB deletes the public key associated with the JWT for the request (706) and acknowledges the de-registration request (707). The manager may then transmit a logoff request (708), and the TGB responsively invalidates the token (invalidating the key). Subsequent token-enabled communications between the manager and the TGB will require re-establishment of the bilateral root of trust, as described above with reference to fig. 5.
It will be appreciated that the implementations described above with reference to fig. 4-7 are provided for illustrative purposes only, and that the inventive subject matter may be implemented in any of a number of different applications.
In the drawings and specification, there have been disclosed exemplary embodiments of the inventive subject matter. Although specific terms are employed, they are used in a generic and descriptive sense only and not for purposes of limitation, the scope of the inventive subject matter being defined by the following claims.

Claims (15)

1. A method of operating a client, the method comprising:
establishing a secure transport layer security connection with a server providing WEB services;
transmitting credentials of the client to the server;
receiving from the WEB service a first WEB service token of the WEB service corresponding to the credentials;
exchanging security credentials with the WEB service using the first WEB service token to identify at least one cryptographic key;
closing the secure transport layer security connection; and
communicating data with the WEB service using a second WEB service token that is created, signed, and encrypted, according to the identified at least one cryptographic key, by whichever of the client and the WEB service transmits the data, so as to pass the data between the client and the server without re-transmitting the credentials to the server to create a new transport layer security connection.
2. The method of claim 1, wherein identifying at least one cryptographic key comprises identifying a client private key and a server public key, and wherein communicating with the server using the second WEB service token comprises transmitting a WEB service token signed by the client private key and encrypted by the server public key.
3. The method of claim 1, wherein identifying at least one cryptographic key comprises identifying a client public key and a server private key, and wherein communicating with the server using the second WEB service token comprises receiving a WEB service token signed by the server private key and encrypted by the client public key.
4. The method of claim 1, wherein the second WEB service token comprises a signed and encrypted JavaScript object notation (JSON) WEB service token (JWT).
5. The method of claim 4, wherein the JWT uses JSON WEB Signing (JWS) format and JSON WEB Encryption (JWE) format.
6. A computer configured to perform the method of claim 1.
7. A computer readable medium storing instructions which, when executed by a computer, perform the method of claim 1.
8. A method of operating a server, the method comprising:
establishing a secure transport layer security connection with the client;
receiving a credential;
transmitting a first WEB service token of the WEB service corresponding to the credential;
exchanging security credentials with the client using the first WEB service token to identify at least one cryptographic key;
closing the secure transport layer security connection; and
communicating data with the client using a second WEB service token that is created, signed, and encrypted, according to the identified at least one cryptographic key, by whichever of the client and the WEB service transmits the data, so as to pass the data between the client and the server without the server receiving the credential again to create a new transport layer security connection.
9. The method of claim 8, wherein identifying at least one cryptographic key comprises identifying a server public key and a client private key, and wherein communicating with the server using the second WEB service token comprises receiving a WEB service token signed by the client private key and encrypted by the server public key.
10. The method of claim 8, wherein identifying at least one cryptographic key comprises identifying a server private key and a client public key, and wherein communicating with the server using the second WEB service token comprises transmitting a WEB service token signed by the server private key and encrypted by the client public key.
11. The method of claim 8, wherein the second WEB service token comprises a signed and encrypted JavaScript object notation (JSON) WEB service token (JWT).
12. The method of claim 11, wherein the JWT uses JSON WEB Signing (JWS) format and JSON WEB Encryption (JWE) format.
13. A computer configured to perform the method of claim 8.
14. A computer readable medium storing instructions which, when executed by a computer, perform the method of claim 8.
15. A method of communicating between a client and a WEB service, the method comprising:
establishing a secure transport layer security connection between the client and a server providing the WEB service;
transmitting credentials from the client to the server;
transmitting a first WEB service token of the WEB service corresponding to the credential from the WEB service to the client;
exchanging security credentials between the client and the WEB service using the first WEB service token to identify at least one cryptographic key;
closing the secure transport layer security connection; and
communicating data between the client and the WEB service using a second WEB service token that is created, signed, and encrypted, in accordance with the identified at least one cryptographic key, by whichever one of the client and the WEB service transmits the data, so as to pass the data between the client and the server without passing the credentials to the server again to create a new transport layer security connection.
Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US15/881151 2018-01-26
US15/881,151 US11546310B2 (en) 2018-01-26 2018-01-26 Apparatus, methods and articles of manufacture for messaging using message level security
PCT/US2019/013652 WO2019147436A1 (en) 2018-01-26 2019-01-15 Apparatus, methods and articles of manufacture for messaging using message level security

Publications (2)

Publication Number Publication Date
CN111801924A CN111801924A (en) 2020-10-20
CN111801924B true CN111801924B (en) 2023-05-12

Family

ID=65324584

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201980010055.1A Active CN111801924B (en) 2018-01-26 2019-01-15 Apparatus, methods, and articles of manufacture for messaging using message-level security

Country Status (9)

Country Link
US (1) US11546310B2 (en)
EP (1) EP3744062A1 (en)
JP (1) JP7389754B2 (en)
KR (1) KR20200118074A (en)
CN (1) CN111801924B (en)
AU (1) AU2019212026B2 (en)
CA (1) CA3089203A1 (en)
MX (1) MX2020007907A (en)
WO (1) WO2019147436A1 (en)

Also Published As

Publication number Publication date
CN111801924A (en) 2020-10-20
AU2019212026B2 (en) 2023-06-01
EP3744062A1 (en) 2020-12-02
KR20200118074A (en) 2020-10-14
JP2021511613A (en) 2021-05-06
JP7389754B2 (en) 2023-11-30
CA3089203A1 (en) 2019-08-01
AU2019212026A1 (en) 2020-08-13
US20190238518A1 (en) 2019-08-01
US11546310B2 (en) 2023-01-03
WO2019147436A1 (en) 2019-08-01
MX2020007907A (en) 2020-09-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant